Reduce Vulnerabilities in Email and Corporate Systems
The news is littered with reports of organizations struggling to recover from ransomware
attacks. What is ransomware? It’s when criminals lock a company’s files by encrypting
them, then demand payment to regain access. Sometimes the attacker makes an additional
threat of releasing private data if ransom is not paid.
Federal law enforcement recommends that ransom not be paid, removing the incentive
to continue this type of attack. But business continuity and a cost comparison between
ransom and lost revenue/recovery costs make the decision a difficult one. Even
after recovery, questions remain on how the attack got in and what other malicious
activities were left behind.
A good defense is to prevent opportunities for ransomware by looking at the common
ways the attacks are launched. Unfortunately, as ransomware has become the top-producing
revenue source for criminals, the sophistication of the attacks has also increased.
The main attack vectors are email and system security vulnerabilities.
Email Vulnerabilities
Employees are said to be the weakest link in a company’s security. Why? Because
it costs very little for internet criminals to send millions of emails to employees
with malicious attachments in the hopes that even a small percentage will fall for
the scam.
But employees who know to be wary of unexpected emails or to double-check the source
are a great frontline defense. Some steps to develop a staff that can spot suspicious
files and requests:
- Give employees an email or a button to report suspicious emails and always respond.
- Even those emails evaluated as safe should be acknowledged.
- Remember to thank them for the report and show how their input improved defenses.
Email filtering is another point to break the attack cycle. Third-party services
are available to reduce spam and detect malicious emails. Additional services such
as link analysis can check an email web link in a virtual machine, off your network,
before allowing a connection. Your endpoint anti-virus vendor may have options and
there are dedicated email filtering services that integrate into the delivery path.
System Vulnerabilities
The success of ransomware attacks has heightened focus on finding ways into corporate
systems. In a largely automated process, the industrial-scale thieves comb internet
connections looking for known weaknesses. Once found, the list of potential victims
is presented (or sold) to hacking groups to launch attacks. Even smaller firms are
not immune—the automated scans do not take business size into consideration.
Hacking has become an industry that operates at large volume to seek returns. One
of the best defenses against these automated attacks is a robust patching program
that includes validation (see our resource page on Building a Cyber Program).
Automatic updates have become the default for most systems, applications, and even
web browsers, but additional steps are needed to ensure operations continuity and
to validate that systems are working as well as we expect.
Updates, particularly version upgrades, carry a risk of breaking processes. Testing
new patches is a good practice to avoid disruptions. When patches are released, test
systems are typically updated by the employees who regularly work on the production
versions. For example, Accounting tries out the patched version of the finance
systems. While the patches are being tested, Security and IT also watch for industry
reports of early problems.
Validation of patching through vulnerability scanning comes in two parts:
- Discovery: Do we know everything that is exposed?
- Success: Did the patches apply properly on all systems?
Scanning each network segment for new devices helps detect new arrivals and checks
that they are part of the update process. Accidents happen, and an old database
server mistakenly added to an internet-exposed network will be found by hackers
in minutes.
Keep in mind that not every patch is successful. A machine may not have been on
during patching or an error may have caused the patch to fail. Re-running vulnerability
scans after a patching window allows us to validate we are as protected as expected
after updates. Any outliers can be investigated and patched.
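
The two-part validation described above, as an added Python example that is not part of the original article: it compares a constructed asset list against a segment sweep (discovery) and compares scan results from before and after a patching window (success). The addresses, finding labels and data layout are assumptions for illustration, not the output of any particular scanner.

```python
"""Patch validation in two parts: discovery and success (added example)."""

# Constructed sample data; the addresses, finding labels and layout are
# assumptions for illustration, not output from any particular scanner.
MANAGED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13"}  # hosts in the update process
DISCOVERED = MANAGED | {"10.0.1.50"}  # hosts that answered the segment sweep
PRE_SCAN = {   # host -> findings open before the patching window
    "10.0.1.10": {"FINDING-A"},
    "10.0.1.11": {"FINDING-A", "FINDING-B"},
    "10.0.1.12": {"FINDING-B"},
    "10.0.1.13": set(),
}
POST_SCAN = {  # host -> findings open after the window; a missing host did not answer
    "10.0.1.10": set(),
    "10.0.1.11": {"FINDING-B"},
    "10.0.1.13": {"FINDING-C"},
}


def discovery_gaps(managed, discovered):
    """Discovery: hosts seen on the network that are not in the update process."""
    return sorted(discovered - managed)


def patch_outliers(pre, post):
    """Success: list the hosts that still need investigation after the window."""
    report = {"unpatched": {}, "not_rescanned": [], "new_findings": {}}
    for host in sorted(set(pre) | set(post)):
        before = pre.get(host, set())
        if host not in post:
            # The host may also have been off during patching, so its
            # earlier findings cannot be treated as fixed.
            if before:
                report["not_rescanned"].append(host)
            continue
        after = post[host]
        if before & after:   # same finding present before and after the window
            report["unpatched"][host] = sorted(before & after)
        if after - before:   # finding that first appears after the window
            report["new_findings"][host] = sorted(after - before)
    return report


if __name__ == "__main__":
    print("Hosts outside the update process:", discovery_gaps(MANAGED, DISCOVERED))
    for category, hosts in patch_outliers(PRE_SCAN, POST_SCAN).items():
        print(f"{category}: {hosts}")
```

A host that drops out of the post-window scan is reported separately rather than counted as clean, which covers the case of a machine that was not on during patching.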